Update OAuth2.md

OAuth2.md

@@ -8,14 +8,19 @@ A way for the `user` to tell `google` to give an access token to `xorismesiti.gr
 2. **Authorization Request**: Redirect to Google's authorization endpoint `accounts.google.com/o/oauth2`, requesting the user's data
 3. **User Login and Consent**: User login to Google and grants permissions.
 4. **Authorization Code Response**: Google redirects back to your platform `xorismesiti.gr/callback` with an authorization `code`.
-5. **Access Token Request**: Exchange the authorization `code` for an access `token`.
+5. **Access Token Request**: Exchange the authorization `code` for an `access_token`.
-6. **Access Protected Resources**: Use the access `token` to fetch the user's Google profile and email from `googleapis.com/oauth2`
+6. **Access Protected Resources**: Use the `access_token` to fetch the user's Google profile and email from `googleapis.com/oauth2`
-7. **Token Refresh** (Optional): If the `token` expires, use the `refresh token` to get a new access `token`.
+7. **Token Refresh** (Optional): If the `access_token` expires, use the `refresh token` to get a new `access_token`.
 
-# 1. Authorization Request (User Initiates Login)
 
-1. A user clicks on the **Login with Google** button on the the app `xorismesiti.gr`.
+
-2. The app request permission to access certain Google APIs (like the user's email, profile, etc.).
+
+# 1. [Frontend] Authorization Request: Redirect the user to Google's OAuth Authorization Endpoint
+
+1. Action: The frontend provides a "Login with Google" button.
+2. When the user clicks it, the frontend constructs a URL to Google's OAuth 2.0 authorization endpoint and redirects the user there.
+3. After this redirection, the user will log in to Google and grant permissions (if they haven’t already).
+4. Google will redirect the user back to your specified redirect_uri with an authorization code.
 
 ```sh
 GET https://accounts.google.com/o/oauth2/v2/auth?
@@ -32,17 +37,25 @@ GET https://accounts.google.com/o/oauth2/v2/auth?
 - `scope`: The permissions you're requesting (e.g., email, profile).
 - `state`: A random string to protect against CSRF attacks.
 
-# 2. User Login and Consent
 
-1. The user is redirected to Google's login page.
-2. If they're not already logged in, they will be prompted to enter their Google credentials.
-3. After successful login, the user will be shown a consent screen where they can grant or deny permission for your app to access their Google account (e.g., email and profile information).
 
-**User Action**: The user clicks "Allow" to grant access.
 
-# 3. Authorization Code Response (Google Redirects to Your Platform)
+# 2. Frontend (Next.js): Receive the Authorization Code and Send it to the Backend
 
-1. Google redirects the user back to your platform's redirect_uri `https://xorismesiti.gr/callback` with an authorization_code in the query parameters.
+1. Once the user grants permission,
+2. Google will redirect the user to the `redirect_uri` you specified in the previous step (e.g., https://xorismesiti.gr/api/auth/callback)
+
+The frontend must not directly exchange the `code` for an `access_token`. 
+
+Instead, it sends the `code` to the backend via an API request.
+
+
+
+# 3. Backend (Node.js): Handle Token Exchange
+
+1. The backend makes a `POST` request to Google token endpoint, to exchange the authorization `code` for the `access_token` and optionally a `refresh token`
+2. Ensure you never expose the client_secret to the frontend. This step should always be handled on the backend.
+3. The backend will exchange the `code` for an `access_token` and `refresh_token`, which are sent back to the frontend or stored securely for subsequent API calls.
 
 ```sh
 GET https://xorismesiti.gr/callback?